Reference: (U) HQ EC's dated 2/9/98 and 2/12/98.


Enclosures: (U)


Enclosed for FBIHQ/CITAC are the following: 


1) 22 pages of logs provided by University of California-Davis.

2) 3 logs provided by the University of Colorado-Boulder.

Details: (U) On 2/2/98, | |, Computer Security Analyst, Information Resources, Division of Information Technology, University of California, 1 Shields Avenue, Davis, California, 95616, telephone | |, advised all 17,000 computers in the University of California-Davis (UCD) network have been attacked using a "statd" probe between 1/25/98 and 1/28/98. Page 6 of enclosure 1, UCD Incident Response Team (UCDIRT) notice #63, identified the initial probes as originating from netgate.saes.com. The initial attack lasted almost twenty-four hours. Three UCD hosts (ging.ucd.edu, junior.itd.ucdavis.edu, and guardian.ucdavis.edu) had TCP connections to other services during the attack. The Sun remote procedure connections from saes.com were the only ones logged in for that week. Saes.com was registered to St. Andrews School, Bethesda, Maryland. | | was identified as the technical contact.

(U) In the opinion of | |, UCDIRT leader, this attack was probably used to generate a list of hosts running "statd." The "statd" systems were then hit from computers located at Harvard University and Columbia University. Pages 7 through 10 of enclosure 1 identify the two computers at Harvard and Columbia as scotia.harvard.edu and bone.tc.columbia.edu. Three hosts were intruded. The compromised computers were running Solaris 2.4.


(U) | | was the administrator for one of the compromised hosts in the Geology Department. After replacing Solaris 2.4 with Solaris 2.5.1, | | examined logs from January 17 and 18, 1998. | | discovered another "statd" attack. On January 18, 1998, the intruder gained root access. The origin of the attack appeared to be | |. Pages 4 and 5 of enclosure 1 represent examples of the "statd" attacks which occurred on January 17 and 18.


(U) | |, Associate Professor, Department of Computer Science, reviewed logs and discovered "imapd" probes during January 18, 1998, from | |. Page 3 of enclosure 1 is | | addendum to UCDIRT notice #63. According to | |, "imapd" programs serve the same purpose as "statd" programs, that is, port mapping.


(U) Likewise, another UCD administrator, | |, reviewed logs and discovered additional attempted "imapd" probes as early as November 18, 1997. The origin of these "imapd" probes appeared to be | |. Pages 1 and 2 of enclosure 1 are | | addendum to UCDIRT notice #63.

(U) Sacramento provided relevant UCD logs to the following:

1) | |, Columbia University, administrator for bone.tc.columbia.edu.

2) | |, Harvard University, administrator for scotia.harvard.edu.

3) | |, St. Andrews, administrator for netgate.saes.com.

(U) | | provided pages 18, 19 and 20 of enclosure 1. | | noted SA | |, FBI Cleveland, | | had also requested this information. SA | | was contacted. SA | | confirmed he was aware of Columbia's information, and had traced the intruder to | | in | |. SA | | was preparing to serve a search warrant on the subscriber. SA | | was also advised the | | intruder had successfully penetrated the UCD computer used for campus events and visitor services, had created a directory called /home/meta and a password entry name of | |. According to SA | |, this was the leitmotiv of his intruder. Pages 15, 16, and 17 of enclosure 1 were provided to SA | |.

(U) | |, Harvard University, advised he had no logs for scotia.harvard.edu. | |, St. Andrews, likewise advised he had no logs for netgate.saes.com. However, | | added he had been contacted by | |, University of Colorado-Boulder.


(U) | |, University of Colorado-Boulder, | | provided enclosure 2. | | advised his network had been the target of a "statd" probe from netgate.saes.com, computer | |. The three compromised University of Colorado machines were all running Solaris 2.4+.


(U) On 2/26/98, UCD Computer Security Analyst | | was asked if the University had any indication their UCD machines had been used to launch flood attacks on any other computer networks. | | said they had received a few complaints concerning some internet relay channels which had been flooded, but nothing else. On the other hand, | | pointed out the UCD computers logged only TCP/telnet connections. Therefore, | | did not believe UCD Administrators would be aware of any ping attacks launched from their networks. | | added, UCD Administrators could track something other than standard TCP/Telnet connections only if the suspect activity occurred coincident with the tracking.
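The UCDIRT leader's assessment earlier in the report (a probe used to build a list of hosts running "statd", with those hosts then hit from other sources) and the analyst's point that UCD logged only TCP/telnet connections describe the same detection problem: a sweep is visible only for the services a site actually records. The following is an added example, not part of the FBI report or any UCD or UCDIRT tooling. It runs a simple sweep detector over constructed syslog-style connection records (the hostnames, timestamps and log format are assumptions made for this example, not lines from the enclosed logs), reports any source that touched the statd service on many distinct hosts within a short window, lists which other sources later contacted the swept hosts, and states which services the log covers so the coverage gap is explicit.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a tcp-wrapper / syslog style. The hosts, times
# and format are assumptions for this example, not lines from the UCD logs.
SAMPLE_LOG = """\
Jan 25 02:14:03 ging statd[212]: connect from netgate.saes.com
Jan 25 02:14:04 junior statd[301]: connect from netgate.saes.com
Jan 25 02:14:04 guardian statd[188]: connect from netgate.saes.com
Jan 25 02:14:05 geo1 statd[190]: connect from netgate.saes.com
Jan 25 02:14:06 geo2 statd[190]: connect from netgate.saes.com
Jan 25 02:14:06 lib3 statd[204]: connect from netgate.saes.com
Jan 25 02:20:11 ging in.telnetd[455]: connect from workstation.ucdavis.edu
Jan 25 02:21:45 guardian in.telnetd[460]: connect from workstation.ucdavis.edu
Jan 26 09:02:17 geo1 statd[190]: connect from scotia.harvard.edu
Jan 26 09:03:00 geo1 in.telnetd[470]: connect from scotia.harvard.edu
"""

# One record per "<service>[pid]: connect from <source>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>[\w.]+)\[\d+\]: connect from (?P<src>\S+)$"
)


def parse_records(text, year=1998):
    """Parse syslog-style lines into dicts; lines that do not match are skipped.
    Syslog omits the year, so the caller supplies it (assumed 1998 here)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"],
                        "service": m["service"], "src": m["src"]})
    return records


def find_sweeps(records, service="statd", min_hosts=5, window_seconds=60):
    """Return {source: sorted hosts} for every source that contacted `service`
    on at least `min_hosts` distinct hosts inside any `window_seconds` window."""
    by_src = defaultdict(list)
    for r in records:
        if r["service"] == service:
            by_src[r["src"]].append(r)
    sweeps = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rs):          # sliding window from each record
            hosts = set()
            for r in rs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(r["host"])
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps


def followup_sources(records, sweeps):
    """For hosts enumerated by a sweep, list other sources that connected to them
    on any logged service (the 'then hit from elsewhere' pattern)."""
    swept = {h for hosts in sweeps.values() for h in hosts}
    later = defaultdict(set)
    for r in records:
        if r["host"] in swept and r["src"] not in sweeps:
            later[r["host"]].add(r["src"])
    return {h: sorted(s) for h, s in later.items()}


def logged_services(records):
    """Services present in the log: anything not in this list is invisible here."""
    return sorted({r["service"] for r in records})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    found = find_sweeps(recs)
    for src, hosts in found.items():
        print(f"statd sweep from {src}: {len(hosts)} hosts -> {', '.join(hosts)}")
    for host, srcs in followup_sources(recs, found).items():
        print(f"swept host {host} later contacted by: {', '.join(srcs)}")
    print("services covered by this log:", ", ".join(logged_services(recs)))
```

The threshold and window are tunable; the assumed values (5 hosts in 60 seconds) are tight enough to separate a sweep from ordinary NFS lock traffic in the sample but are not calibrated against any real network. The last line of output is the caveat the analyst raised: the detector can only reason about statd and telnet because those are the only services the constructed log contains, exactly as ICMP floods would not appear in a TCP/telnet-only log.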

Sacramento is attempting to identify the subscriber who launched the "statd" probes from
Any other leads will be left to the discretion of OSIIP/CITAC.

